Re: [tor-bugs] #15951 [Tor]: FairPretender: Pretend as any hidden service in passive mode
#15951: FairPretender: Pretend as any hidden service in passive mode
------------------------+-----------------------------------------
Reporter: twim | Owner: twim
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Resolution: | Keywords: tor, hs, descriptor, tor-hs
Actual Points: | Parent ID:
Points: |
------------------------+-----------------------------------------
Changes (by twim):
* priority: major => normal
Comment:
Replying to [comment:6 arma]:
> I think the other idea was for the INTRO2 cell to specify what onion
> address the user thought she was going to. Then hidden services can notice
> when clients are visiting them but aren't using the right address.
>
> That approach provides more defense-in-depth against future variations
> on this issue. I think it's complementary to Nick's cross-certification
> plan.

I agree. Also there is another reason for the cross-certification to be
implemented - it cuts off deceived requests at the descriptor verification
step. There is no need for the client to build up any circuits to the HS (and
slow down the network).

However your "Host:"-like verification certainly provides freedom to
defend against spoofing (doesn't force users to defend). At this point
it becomes almost equivalent to an optional cross-certificate.

Also an HS operator can track spoofing attacks on the HS with that
verification.

It's more about who wants to avoid this issue more: if it's an HS operator
- check how clients are coming to you, if it's a client - check the
descriptor carefully before performing any request.

Good HSes should use both of course.
>
> I also agree with Yawning that fixing this particular variant of the
> issue isn't super-urgent, since ultimately it requires tricking the user
> into visiting the wrong address, which is going to be bad news for the
> user in plenty of other ways too.
Yes, same here.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15951#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online